Model Based Prediction Technique for Denial of Service Attack Detection
Tinju Grace Varghese, 4th Semester Mtech Student, Caarmel Engineering College, Perunad
Salitha M.K, Assistant Professor, Caarmel Engineering College, Perunad
Abstract
Since the early days of the commercial internet, interconnected systems and their network infrastructure have been targets of malicious parties. A denial of service attack is regarded as a major threat because of its ability to generate a huge volume of unwanted traffic. DoS attacks are hard to detect and respond to in large and complex network environments. A prediction method is therefore proposed in which attacker behaviour is predicted using linear predictive coding. It uses multivariate correlation analysis for accurate network traffic characterization by extracting the geometrical correlations between extracted and normalized network features. Finally, the proposed prediction method is investigated for predicting DoS attacks through simulation studies.
Index terms – Denial of service attack, multivariate
correlations, linear predictive coding.
I. INTRODUCTION
As internet use grows at an astounding rate, so too do cyber-attacks by hackers, who exploit flaws in internet protocols, operating systems and application software. Network security therefore consists of policies to prevent and monitor unauthorized access, misuse and denial of service. Normally a packet contains the IP address of the computer that originally sent it, but the sender IP address can be faked; this characterizes a spoofing attack, which hides the source of the packets, as in the case of a denial of service attack. A potential solution involves intermediate internet gateways filtering or denying any packet deemed to be illegitimate.
Denial-of-service (DoS) attacks are often annoying to online users. DoS attacks severely degrade the performance of the victim and deny service for a period ranging from a few minutes to a long time. This causes serious damage to the services running on the victim. Therefore, effective detection of denial of service attacks is essential for easy access to services.
Internet based denial of service attacks can be classified in two ways, namely direct denial of service attacks and indirect denial of service attacks. The direct denial of service attack model focuses on taking down a specific network or computer. The indirect denial of service attack model spreads more widely and affects a large number of computers. So, efforts must be taken to develop network based detection systems. These detection systems monitor traffic transmitted over the protected network and ensure that the servers can dedicate themselves to providing good quality of service to users with minimum delay in response.
The ways in which network attacks can be detected are mainly classified into two, namely misuse-based detection systems [1] and anomaly based detection systems [2]. Misuse based detection systems inspect network activities and look for matches against existing attack signatures. Even though misuse based detection systems detect existing attacks faster and with low false positives, they are easily evaded by new attacks and variants of existing attacks. Another disadvantage is that the signature database needs to be updated regularly, and the updating process is manual and labour intensive. The disadvantages of the misuse based detection system led to the development of anomaly based detection systems. Such a system monitors network activity and flags any activity presenting significant deviation from legitimate traffic as suspicious.
II. RELATED WORKS
Systems based on techniques such as data mining [3], machine learning [4] and statistical analysis [5], [6] generally suffer from high false positives. This is because they neglect the correlation between features, so recent studies have focused on feature correlation analysis [7]. Yu et al. [8] proposed an algorithm to discriminate DDoS attacks from flash crowds by analysing the flow correlation coefficient among suspicious flows. They found that DDoS attack flows possess higher similarity than flash crowd flows under current conditions of botnet size and organization, so a flow correlation coefficient is used as a metric to measure the similarity among suspicious flows and differentiate DDoS attacks from genuine flash crowds. However, this approach has issues such as the trade-off between detection accuracy and cost, and once the detection strategy is known to attackers, they may develop new strategies to disable the detection.
A covariance matrix-based approach was designed in [9] to mine the multivariate correlation of sequential samples. Although the approach improves detection accuracy, it is vulnerable to attacks that linearly change all monitored features. To deal with the above problems, an approach based on triangle area was presented in [10] to generate better discriminative features. However, this approach depends on prior knowledge of malicious behaviours. More recently, Jamdagni et al. [11] developed a refined geometrical structure based analysis technique, where Mahalanobis distance (MD) was used to extract the correlations between the selected packet payloads. In that paper, a 3-Tier Iterative Feature Selection Engine (IFSEng) is used for feature subspace selection. The Principal Component Analysis (PCA) technique is used for pre-processing the data. A Mahalanobis Distance Map (MDM) is used to discover hidden correlations between the features and between the packets. The Mahalanobis Distance (MD) dissimilarity criterion is used to classify each packet as either a normal or an attack packet. The disadvantage of the system is that it has high false positives and lower accuracy. In [12], Tan et al. proposed a more sophisticated non-payload based DoS detection approach using multivariate correlation analysis.
Most existing IDS are optimized to detect attacks with high accuracy. However, they still have various disadvantages that have been outlined in a number of publications, and a lot of work has been done to analyse IDS in order to direct future research. Among others, a major drawback is the large number of alerts produced. Network intrusion detection systems and network prevention systems are placed at the ingress and egress points of the network in order to detect and prevent anomalous traffic. As the resources of the interconnected system, such as web servers, database servers, cloud computing servers, etc., are located in the service provider's local area networks, which are commonly constructed using the same or similar underlying network infrastructure and are compliant with the underlying network model, a model based detection system can provide effective protection to all of these systems by considering their commonality.
III. SYSTEM ARCHITECTURE
Fig 1 depicts the system architecture of the proposed work. The whole detection process consists of three steps, and sample by sample detection is applied throughout.
Fig 1: System Architecture
In the first step, basic features are extracted from the network traffic to form a traffic record for a specified period of time. The features extracted include the number of requests from each id, download size, protocol, etc. Once the features are extracted, they need to be normalized to remove abnormalities from the raw data.
The second step is multivariate correlation analysis [13], which is applied to extract the correlations between two distinct features within each traffic record coming from the first step. The occurrence of network intrusions causes changes to these correlations, so the changes can be used as indicators to identify intrusive activities.
In the third step, a model based prediction technique is used to infer attacker behaviour from historical data. It relies on dynamic models of the process, has the ability to anticipate future events, and can control actions accordingly. This helps in the early detection of attacks.
IV. SAMPLE BY SAMPLE DETECTION
Jin et al. [9] proved that the group based detection mechanism maintains a higher probability of correctly classifying a group of sequential network traffic samples than the sample by sample mechanism. The proof rests on the assumption that the samples in a group all come from the same class. This restricts the application of group based detection to limited scenarios, because attacks can occur unpredictably and it is difficult to obtain a group of sequential samples from only one class.
To overcome this limitation, the proposed work investigates the samples individually. As a result of sample by sample detection, attacks can be detected promptly, intrusive samples can be labelled individually, and the probability of correctly classifying a sample into its population is higher than that achieved using the group based detection mechanism. The sample by sample detection mechanism is illustrated through a mathematical example in [9].
The dataset is first selected and its features are read. The dataset includes features such as network id, time of access, data accessed, client supported type, status and the number of bytes of data accessed. From the dataset, 100 rows of data are selected and the corresponding network id, status of request, data size and client supported type are analysed. In addition, the total bytes of data downloaded are calculated. Basic features generated from the network traffic are used to form traffic records for a well-defined time interval. Features like message size, protocol usage and number of requests are extracted. The number of requests coming from each unique network id and the total data accessed by each unique network id are also calculated.
V. MULTIVARIATE CORRELATION ANALYSIS
The coefficient of multiple correlation is a measure of how well a given variable can be predicted using a linear function of a set of other variables. It is the square root of the coefficient of determination, computed under the particular assumptions that the best possible linear predictors are used and that an intercept is included, whereas the coefficient of determination is defined for more general cases, including nonlinear prediction in which the predicted values have not been derived from a model-fitting procedure. The multiple correlation takes values between zero and one; a higher value indicates better predictability of the dependent variable from the independent variables, with a value of one indicating that the predictions are exactly correct and a value of zero indicating that no linear combination of the independent variables is a better predictor than the fixed mean of the dependent variable.
Multivariate correlation analysis is then performed, in which triangle area map generation is applied to extract the correlations between two distinct features within each traffic record coming from the previous step. The occurrence of network intrusions causes changes to these correlations, so the changes can be used as indicators to identify intrusive activities.
Algorithm for normal profile generation:
Step 1: Begin for loop.
Step 2: Divide the sample into 9 slices.
Step 3: Calculate each slice's correlation.
Step 4: End for loop.
Step 5: Estimate the mean and standard deviation.
Step 6: Generate the profile by storing the mean and standard deviation in a variable.
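As an added illustration of the six steps above (not code from the paper), the following Python block builds a normal profile from one feature pair and tests a new record against it. It assumes Pearson's correlation coefficient as the per-slice correlation measure, a 3 standard deviation test, and constructed (requests, bytes downloaded) records with a flood window of many tiny requests.

```python
import math
import random

def pearson(xs, ys):
    """Correlation between two feature columns (Pearson, assumed measure)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return 0.0 if sxx == 0 or syy == 0 else sxy / math.sqrt(sxx * syy)

def slice_correlations(feat_a, feat_b, slices=9):
    """Steps 1-4: split the sample into `slices` slices, one correlation each."""
    n = len(feat_a)
    bounds = [round(i * n / slices) for i in range(slices + 1)]
    return [pearson(feat_a[lo:hi], feat_b[lo:hi])
            for lo, hi in zip(bounds, bounds[1:])]

def normal_profile(feat_a, feat_b, slices=9):
    """Steps 5-6: the profile is the mean and std of the slice correlations."""
    corrs = slice_correlations(feat_a, feat_b, slices)
    mean = sum(corrs) / len(corrs)
    std = math.sqrt(sum((c - mean) ** 2 for c in corrs) / len(corrs))
    return mean, std

def is_anomalous(profile, corr, k=3.0):
    """Flag a record whose correlation lies more than k std from the profile mean."""
    mean, std = profile
    return abs(corr - mean) > k * std

# Constructed data: 270 normal records where bytes scale with requests,
# plus a 30-record flood window of many requests that each fetch almost nothing.
rng = random.Random(3)
REQ = [rng.randint(5, 50) for _ in range(270)]
BYTES = [500 * r + rng.gauss(0, 800) for r in REQ]
FLOOD_REQ = [rng.randint(200, 400) for _ in range(30)]
FLOOD_BYTES = [rng.randint(40, 80) for _ in range(30)]

PROFILE = normal_profile(REQ, BYTES)
FLOOD_CORR = pearson(FLOOD_REQ, FLOOD_BYTES)

if __name__ == "__main__":
    print("profile (mean, std):", PROFILE)
    print("flood correlation:", FLOOD_CORR, "anomalous:", is_anomalous(PROFILE, FLOOD_CORR))
```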
VI. PREDICTION TECHNIQUE
Once a prediction model is trained, it can be used to predict the unknown values of the target output. Modelling techniques consist of two main phases: training and testing. In the training phase, prediction models are derived from a training data set that contains previously executed queries (i.e., the training workload) and the observed performance values (i.e., execution times). In this phase, queries are represented as a set of features with corresponding performance values. The goal in training is to create an accurate and concise operational summary of the mapping between the feature values and the observed performance data points. The prediction models are then used to predict the performance of unforeseen queries in the test phase.
In the fourth step, the LPC technique is used to compute the mean and standard deviation, which are used to build the prediction model. The prediction error is the difference between the actual and expected results, and abnormal traffic can be identified by analysing the prediction error. To improve detection efficiency, trained neural networks are used. Four metrics, namely true negative rate (TNR), detection rate (DR), false positive rate (FPR) and accuracy, are used to evaluate the overall performance of the proposed system.
Algorithm for prediction technique:
Step 1: Collect network traffic packets and flow information in real time.
Step 2: Pre-process the network traffic by cumulatively averaging it.
Step 3: Using the prediction model, predict the network traffic.
Step 4: Find the prediction error by:
Err(n) = X(n) - Xp(n)
Xp(n) = -A(2)*X(n-1) - A(3)*X(n-2) - ... - A(N+1)*X(n-N)
where A = [1 A(2) ... A(N+1)] are the coefficients of an Nth-order forward linear predictor.
Step 5: Detect abnormal traffic by analysing the prediction error.
Step 6: Detect DoS by using the trained neural network.
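Steps 3 to 5 worked as an added Python example, not the paper's own code: it derives the Nth-order forward predictor A of Step 4 by Levinson-Durbin recursion, computes Err(n), and flags samples whose error lies more than k standard deviations from the training-error mean. Assumptions: order N = 4, k = 4, a mean-centred series in place of the cumulative averaging of Step 2, and a constructed request-rate trace with an injected flood.

```python
import math
import random

def autocorr(x, order):
    """Biased autocorrelation estimate r[0..order] of a zero-mean series."""
    n = len(x)
    return [sum(x[i] * x[i + k] for i in range(n - k)) for k in range(order + 1)]

def lpc(x, order):
    """Nth-order forward linear predictor A = [1, A(2), ..., A(N+1)] via
    Levinson-Durbin, in the sign convention of Step 4:
    Xp(n) = -A(2)X(n-1) - ... - A(N+1)X(n-N)."""
    r = autocorr(x, order)
    a, err = [1.0], r[0]
    for i in range(1, order + 1):
        acc = r[i] + sum(a[j] * r[i - j] for j in range(1, i))
        k = -acc / err                      # reflection coefficient
        new_a = a + [0.0]
        for j in range(1, i):
            new_a[j] = a[j] + k * a[i - j]
        new_a[i] = k
        a, err = new_a, err * (1 - k * k)
    return a

def prediction_errors(a, x):
    """(n, Err(n)) with Err(n) = X(n) - Xp(n), for every n that has N past samples."""
    order = len(a) - 1
    return [(n, x[n] + sum(a[j] * x[n - j] for j in range(1, order + 1)))
            for n in range(order, len(x))]

def detect_anomalies(train, test, order=4, k=4.0):
    """Fit the predictor on normal traffic, then return the indices of test
    samples whose prediction error is abnormal (Step 5)."""
    mu = sum(train) / len(train)
    train_c = [v - mu for v in train]       # mean-centred (assumption, see lead-in)
    a = lpc(train_c, order)
    errs = [e for _, e in prediction_errors(a, train_c)]
    mean = sum(errs) / len(errs)
    std = math.sqrt(sum((e - mean) ** 2 for e in errs) / len(errs))
    test_c = [v - mu for v in test]
    return [n for n, e in prediction_errors(a, test_c) if abs(e - mean) > k * std]

# Constructed trace: requests per second with a 12-step cycle and small noise.
rng = random.Random(7)
NORMAL = [100 + 30 * math.sin(2 * math.pi * n / 12) + rng.gauss(0, 2) for n in range(60)]
# Same trace with a flood of +300 requests/s injected at n = 40..47.
FLOOD = NORMAL[:]
for n in range(40, 48):
    FLOOD[n] += 300

if __name__ == "__main__":
    print("predictor A:", [round(c, 3) for c in lpc(NORMAL, 4)])
    print("flagged samples:", detect_anomalies(NORMAL, FLOOD))
```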
VII. EXPERIMENTAL RESULTS AND DISCUSSION
The evaluation of the model based prediction technique for the denial of service attack detection system is conducted using the KDD Cup 99 dataset [17]. The dataset is publicly available and is widely used in intrusion detection studies. The overall evaluation process is as follows. First, the MCA approach is assessed for its traffic characterisation. In the training phase, the generated normal profile is used to find the correlation between the features. Changes to the geometrical structure may occur when anomalous behaviour appears, which provides a way to detect attacks. In order to detect attacks accurately, the linear predictive technique is used in the testing phase. Using this technique, the mean and standard deviation are computed and used to build the prediction model. As a result, the attack can be detected based on the ground truth value.
The performance of the LPC technique can be represented using the confusion matrix shown in Fig 2. A confusion matrix is a specific table layout that allows visualization of the performance of an algorithm. Each column of the matrix represents the instances in a predicted class and each row represents the instances in an actual class.
Consider 23 samples to determine the performance. The confusion matrix is generated using the following data.
Targets = [0 0 0 1 1 0 1 1 1 0 0 1 0 0 0 1 1 1 0 0 1 1 1]
Outputs = [0 0 0 1 0 0 1 1 1 0 0 1 0 0 0 1 1 1 0 0 1 1 1]
Table 1: Metric Table
Ground Truth Value | Predicted Value | Metric
0 | 0 | True Negative
1 | 1 | True Positive
1 | 0 | False Positive
0 | 1 | False Negative
The TPR, FNR, FPR and TNR are calculated with the help of the metric table shown in Table 1.
True Positive Rate = TP / (TP + FN) = 11 / 11 = 100%
False Negative Rate = FN / (TP + FN) = 0 / 11 = 0
False Positive Rate = FP / (TN + FP) = 1 / 12 = 8.3%
True Negative Rate = TN / (TN + FP) = 11 / 12 = 91.7%
Accuracy = (TP + TN) / (TP + FN + FP + TN) = 22 / 23 = 95.7%
Thus from the confusion matrix, it can be concluded that the accuracy of detection is 95.7%.
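Added example (not the paper's code) that recomputes the rates above from the Targets and Outputs vectors. It applies Table 1 exactly as printed, where (ground truth 1, predicted 0) is labelled a false positive, and beside it the standard convention with 1 as the positive class, where that same case is a false negative, so the reader can see which labelling the figures above rest on.

```python
from fractions import Fraction

# Targets and Outputs as listed in Section VII (23 samples).
TARGETS = [0, 0, 0, 1, 1, 0, 1, 1, 1, 0, 0, 1, 0, 0, 0, 1, 1, 1, 0, 0, 1, 1, 1]
OUTPUTS = [0, 0, 0, 1, 0, 0, 1, 1, 1, 0, 0, 1, 0, 0, 0, 1, 1, 1, 0, 0, 1, 1, 1]

# Table 1 exactly as printed: (ground truth, predicted) -> metric.
TABLE_1 = {(0, 0): "TN", (1, 1): "TP", (1, 0): "FP", (0, 1): "FN"}
# Standard convention with 1 as the positive (attack) class.
STANDARD = {(0, 0): "TN", (1, 1): "TP", (0, 1): "FP", (1, 0): "FN"}

def confusion_counts(targets, outputs, table):
    """Count TP/TN/FP/FN by mapping each (target, output) pair through `table`."""
    counts = {"TP": 0, "TN": 0, "FP": 0, "FN": 0}
    for t, o in zip(targets, outputs):
        counts[table[(t, o)]] += 1
    return counts

def rates(counts):
    """The five rates used in Section VII, as exact fractions."""
    tp, tn, fp, fn = (counts[k] for k in ("TP", "TN", "FP", "FN"))
    return {
        "TPR": Fraction(tp, tp + fn),
        "FNR": Fraction(fn, tp + fn),
        "FPR": Fraction(fp, tn + fp),
        "TNR": Fraction(tn, tn + fp),
        "ACC": Fraction(tp + tn, tp + tn + fp + fn),
    }

if __name__ == "__main__":
    for name, table in (("Table 1 as printed", TABLE_1), ("standard", STANDARD)):
        r = rates(confusion_counts(TARGETS, OUTPUTS, table))
        print(name, {k: f"{float(v):.1%}" for k, v in r.items()})
```

Under Table 1 as printed the single miss at sample 5 is a false positive and the accuracy is 22/23; under the standard convention the same miss is a missed attack (false negative), so TPR drops to 11/12 and FPR becomes 0.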
Fig 3 below depicts the ROC curve using a threshold classifier. It can be seen from the graph that threshold based attack detection achieves an accuracy of only 80%, and there is a chance that actual attacks below the threshold value cannot be detected. To overcome this, the linear predictive technique is used, in which varying the threshold values allows the actual attacks to be detected with an increase in detection accuracy.
Fig 2: Confusion Matrix
Fig 3: ROC curve for threshold classifier.
Fig 4: ROC curve of the existing and proposed system.
Fig 4 above depicts the comparison of the ROC curves of the threshold based detection and the linear prediction technique. It is clear from the figure that the proposed system increases the detection accuracy and reduces misclassification.
VIII. CONCLUSION AND FUTURE ENHANCEMENT
No matter whether attacks are under way, if a server is overloaded even by normal service requests, the effect imposed on a service system is equivalent to that of attacks. The proposed prediction method for predicting DoS attacks is investigated through simulation studies. Evaluation has been conducted using the KDD Cup 99 data set [15] to verify the effectiveness and performance of the proposed DoS attack detection system. The influence of original (non-normalized) and normalized data has been studied. In the future, the model can be tested using real world data, and more sophisticated classification techniques can be employed to further reduce the false positive rate.
REFERENCES
[1] V. Paxson, “Bro: A System for Detecting Network Intruders in Real-Time,” Computer Networks, vol. 31, pp. 2435-2463, 1999.
[2] P. García-Teodoro, J. Díaz-Verdejo, G. Maciá-Fernández, and E. Vázquez, “Anomaly-Based Network Intrusion Detection: Techniques, Systems and Challenges,” Computers and Security, vol. 28, pp. 18-28, 2009.
[3] K. Lee, J. Kim, K.H. Kwon, Y. Han, and S. Kim, “DDoS Attack Detection Method Using Cluster Analysis,” Expert Systems with Applications, vol. 34, no. 3, pp. 1659-1665, 2008.
[4] J. Yu, H. Lee, M.-S. Kim, and D. Park, “Traffic Flooding Attack Detection with SNMP MIB Using SVM,” Computer Comm., vol. 31, no. 17, pp. 4212-4219, 2008.
[5] C. Yu, H. Kai, and K. Wei-Shinn, “Collaborative Detection of DDoS Attacks over Multiple Network Domains,” IEEE Trans. Parallel and Distributed Systems, vol. 18, no. 12, pp. 1649-1662, Dec. 2007.
[6] G. Thatte, U. Mitra, and J. Heidemann, “Parametric Methods for Anomaly Detection in Aggregate Traffic,” IEEE/ACM Trans. Networking, vol. 19, no. 2, pp. 512-525, Apr. 2011.
[7] S.T. Sarasamma, Q.A. Zhu, and J. Huff, “Hierarchical Kohonen Net for Anomaly Detection in Network Security,” IEEE Trans. Systems, Man, and Cybernetics, Part B: Cybernetics, vol. 35, no. 2, pp. 302-312, Apr. 2005.
[8] S. Yu, W. Zhou, W. Jia, S. Guo, Y. Xiang, and F. Tang, “Discriminating DDoS Attacks from Flash Crowds Using Flow Correlation Coefficient,” IEEE Trans. Parallel and Distributed Systems, vol. 23, no. 6, pp. 1073-1080, June 2012.
[9] S. Jin, D.S. Yeung, and X. Wang, “Network Intrusion Detection in Covariance Feature Space,” Pattern Recognition, vol. 40, pp. 2185-2197, 2007.
[10] C.F. Tsai and C.Y. Lin, “A Triangle Area Based Nearest Neighbors Approach to Intrusion Detection,” Pattern Recognition, vol. 43, pp. 222-229, 2010.
[11] A. Jamdagni, Z. Tan, X. He, P. Nanda, and R.P. Liu, “RePIDS: A Multi Tier Real-Time Payload-Based Intrusion Detection System,” Computer Networks, vol. 57, pp. 811-824, 2013.
[12] Z. Tan, A. Jamdagni, X. He, P. Nanda, and R.P. Liu, “Denial-of-Service Attack Detection Based on Multivariate Correlation Analysis,” Proc. Conf. Neural Information Processing, pp. 756-765, 2011.
[13] Z. Tan, A. Jamdagni, X. He, P. Nanda, and R.P. Liu, “A System for Denial-of-Service Attack Detection Based on Multivariate Correlation Analysis,” IEEE Trans. Parallel and Distributed Systems, vol. 25, no. 2, Feb. 2014.
[14] “Learning-based Query Performance Modeling and Prediction,” Proc. IEEE 28th Int’l Conf. Data Engineering (ICDE), 2012.
[15] M. Tavallaee, E. Bagheri, L. Wei, and A.A. Ghorbani, “A Detailed Analysis of the KDD Cup 99 Data Set,” Proc. IEEE Second Int’l Conf. Computational Intelligence for Security and Defense Applications, pp. 1-6, 2009.
[16] S.J. Stolfo, W. Fan, W. Lee, A. Prodromidis, and P.K. Chan, “Cost-Based Modeling for Fraud and Intrusion Detection: Results from the JAM Project,” Proc. DARPA Information Survivability Conf. and Exposition (DISCEX ’00), vol. 2, pp. 130-144, 2000.
[17] A.A. Cardenas, J.S. Baras, and V. Ramezani, “Distributed Change Detection for Worms, DDoS and Other Network Attacks,” Proc. Am. Control Conf., vol. 2, pp. 1008-1013, 2004.
[18] W. Wang, X. Zhang, S. Gombault, and S.J. Knapskog, “Attribute Normalization in Network Intrusion Detection,” Proc. 10th Int’l Symp. Pervasive Systems, Algorithms, and Networks (ISPAN), pp. 448-453, 2009.